
[MX] Configuration Example - MPLS flex filter to match payload source and destination IP addresses at the same time


Article ID: KB36564 | Last Updated: 12 Mar 2021 | Version: 2.0
Summary:

Flex filters are available on MX Series platforms with Trio-based line cards. They can match at the L2, L3, L4 or payload location, and an additional offset can be specified, enabling pattern matches at custom, user-defined positions within a packet.

You may need to match more than one criterion at the same time. A single flexible match is limited to 32 bits, so one flexible match cannot cover both the payload source IP and the payload destination IP in the same term. This article provides an example that matches the payload source IP and destination IP at the same time.

Symptoms:
Topology: CE1 (Src IP 10.10.10.10) <----> PE1 (xe-0/0/0) <----> P <----> PE2 <----> CE2 (Dst IP 66.66.66.66)

Flows on the PE1 MPLS core-facing interface xe-0/0/0:

  • Output direction flows: source IP 10.10.10.10, destination IP 66.66.66.1-66.66.66.66
  • Input direction flow: source IP 66.66.66.66, destination IP 10.10.10.10
  • Source IP 11.11.11.11 in hex: 0b0b0b0b
  • Destination IP 66.66.66.66 in hex: 42424242
Solution:

Example of flex filter with explanation:

flexible-match-mask and flexible-match-range are two different match types with almost the same function; either one can be used.

user@mx# show firewall
family mpls {
    filter output_mpls {
        interface-specific;
        term 1 {
            from {  <-- both flexible matches in this term must match (conditions in one term are ANDed)
                flexible-match-mask {
                    mask-in-hex 0xffffffff; <-- mask applied to the matched bits; 0xffffffff compares all 32 bits
                    prefix 0x0b0b0b0b; <-- source IP 11.11.11.11 in hex (10.10.10.10 would be 0x0a0a0a0a)
                    flexible-mask-name sip;  <-- select predefined template; the template defines the match start point, offset, match length, etc.
                }
                flexible-match-range {
                    range 0x42424201-0x42424242;  <-- destination IP range 66.66.66.1 to 66.66.66.66
                    flexible-range-name dip; <-- select predefined template
                }
            }
            then {
                count output_mpls;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
    filter input_mpls {
        interface-specific;
        term 1 {
            from {
                flexible-match-mask {
                    match-start payload; <-- no template used; start point, offset and length are defined directly in the filter
                    byte-offset 12; <-- source IP field of the IPv4 header carried in the payload
                    bit-length 32;
                    mask-in-hex 0xffffffff;
                    prefix 0x42424242; <-- source IP 66.66.66.66
                }
                flexible-match-range {
                    match-start payload;
                    byte-offset 16; <-- destination IP field of the IPv4 header carried in the payload
                    bit-length 32;
                    range 0x0b0b0b0b; <-- destination IP 11.11.11.11
                }
            }
            then {
                count input_mpls;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}
flexible-match dip {   <-- flexible-match template name; it can be re-used
    match-start payload; <-- start from the MPLS payload
    byte-offset 16; <-- 16 is the destination IP offset in the IPv4 header
    bit-offset 0;
    bit-length 32;
}
flexible-match sip {  <-- flexible-match template name; it can be re-used
    match-start payload;  <-- start from the MPLS payload
    byte-offset 12;  <-- 12 is the source IP offset in the IPv4 header
    bit-offset 0;
    bit-length 32;
}

set interfaces xe-0/0/0 unit 0 family mpls filter input input_mpls
set interfaces xe-0/0/0 unit 0 family mpls filter output output_mpls
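As an added example (not Junos code and not part of the original article), the following Python script models how term 1 of output_mpls is evaluated: it walks the MPLS label stack to find the payload, reads 32 bits at the configured byte-offset, and ANDs the mask match with the range match. The mask semantics (bits set in the mask are compared), the minimal IPv4 header and the label values are assumptions; ip_to_hex shows the dotted-to-hex conversion used for the prefix and range statements.

```python
import struct
import ipaddress

def ip_to_hex(addr):  # dotted IPv4 -> the 32-bit value written in prefix/range statements
    return int(ipaddress.IPv4Address(addr))

def mpls_payload_offset(frame):
    """Walk the label stack; the payload starts after the entry with the S bit set."""
    off = 0
    while True:
        entry, = struct.unpack_from("!I", frame, off)
        off += 4
        if entry & 0x100:  # S (bottom-of-stack) bit
            return off

def extract_bits(frame, start, byte_offset, bit_offset, bit_length):
    """Read bit_length bits starting bit_offset bits into byte start+byte_offset."""
    base = start + byte_offset
    nbytes = (bit_offset + bit_length + 7) // 8
    chunk = int.from_bytes(frame[base:base + nbytes], "big")
    shift = nbytes * 8 - bit_offset - bit_length
    return (chunk >> shift) & ((1 << bit_length) - 1)

def match_mask(frame, byte_offset, prefix, mask=0xFFFFFFFF, bit_length=32):
    """flexible-match-mask model (assumption: bits set in the mask are compared)."""
    value = extract_bits(frame, mpls_payload_offset(frame), byte_offset, 0, bit_length)
    return (value & mask) == (prefix & mask)

def match_range(frame, byte_offset, low, high, bit_length=32):
    """flexible-match-range model: value must fall inside low..high inclusive."""
    value = extract_bits(frame, mpls_payload_offset(frame), byte_offset, 0, bit_length)
    return low <= value <= high

def output_mpls_term1(frame):
    """Term 1 of output_mpls: both from conditions must hold (sip AND dip range)."""
    return (match_mask(frame, 12, 0x0B0B0B0B)
            and match_range(frame, 16, 0x42424201, 0x42424242))

def build_frame(labels, src, dst):
    """Constructed test packet: MPLS label stack + minimal 20-byte IPv4 header."""
    stack = b"".join(struct.pack("!I", (lbl << 12) | (int(i == len(labels) - 1) << 8) | 64)
                     for i, lbl in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return stack + ip

if __name__ == "__main__":
    pkt = build_frame([16001, 299776], "11.11.11.11", "66.66.66.66")  # constructed labels
    print(hex(ip_to_hex("66.66.66.66")), output_mpls_term1(pkt))
```

Feeding build_frame a packet to 66.66.66.0 shows why the range starts at 0x42424201 rather than 0x42424200: that address falls outside the configured range and the term does not match.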
